Why not become a lifetime supporting member of the site with a one-time donation of any amount? Your donation entitles you to a ton of additional benefits, including access to exclusive discounts and downloads, the ability to enter monthly free software drawings, and a single non-expiring license key for all of our programs.

You must sign up here before you can post and access some areas of the site. Registration is totally free and confidential.

Users seeking to run Red Hat Fedora on a Windows 8-certified computer may be forced to shell out $99 to bypass Microsoft's new UEFI Secure Boot feature, according to Red Hat Linux developer Matthew Garrett. That, he said, is the best compromise the company could devise to ensure users could easily load Fedora on new PCs without giving itself an unfair edge over less-influential Linux vendors.

Red Hat's plans, as outlined in Garrett's personal blog, have generated considerable ire from members of the Linux community. In response to Garrett's post, critics have accused Red Hat of "selling out" to Microsoft in forcing users to pay to access the company's signing service if they want to run Fedora.

Most hardware you'll be able to buy towards the end of the year will be Windows 8 certified. That means that it'll be carrying a set of secure boot keys, and if it comes with Windows 8 pre-installed then secure boot will be enabled by default. This set of keys isn't absolutely fixed and will probably vary between manufacturers, but anything with a Windows logo will carry the Microsoft key[1].

We explored the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, but turned it down for a couple of reasons. First, while we had a surprisingly positive response from the vendors, there was no realistic chance that we could get all of them to carry it. That would mean going back to the bad old days of scouring compatibility lists before buying hardware, and that's fundamentally user-hostile. Secondly, it would put Fedora in a privileged position. As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs.

An alternative was producing some sort of overall Linux key. It turns out that this is also difficult, since it would mean finding an entity who was willing to take responsibility for managing signing or key distribution. That means having the ability to keep the root key absolutely secure and perform adequate validation of people asking for signing. That's expensive. Like millions of dollars expensive. It would also take a lot of time to set up, and that's not really time we had. And, finally, nobody was jumping at the opportunity to volunteer. So no generic Linux key.

The last option wasn't hugely attractive, but is probably the least worst. Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access edit: The $99 goes to Verisign, not Microsoft - further edit: once paid you can sign as many binaries as you want), but it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions. If there are better options then we haven't found them. So, in all probability, this is the approach we'll take. Our first stage bootloader will be signed with a Microsoft key...

I'm guessing this will end up being one of those "inspired" (pissed off) too many of the wrong people stories that ends up with the TPM chips/boot keys being cracked. Granted it might require a soldering iron ... But it'll happen.

It's a payment to Verisign for the vendor to be able to sign the binaries, right? Sort of like with SSL? Or am I misunderstanding something?

If I'm not, so Fedora pays Verisign, and signs their binaries- where does the user come into this?

I understand from the point that people compile their own kernels and such so this is problematic in terms of running your own compiled version of Linux on your own machine which seems bad- but the article says something about "Red Hat users face service fee to run Fedora on Windows 8 machines", but that doesn't seem it at all... or am I misunderstanding?

The last option wasn't hugely attractive, but is probably the least worst. Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access edit: The $99 goes to Verisign, not Microsoft - further edit: once paid you can sign as many binaries as you want), but it's cheaper than any realistic alternative would have been.

Sure, why go through all the trouble of a complex and possibly unstable hack if the chip can be circumvented with a few well placed jumpers. Granted it does require a bit if skill ... But then again so does Linux.

Well linux installer is very simple these days(assuming user knows partitioning and point-n-click) and I can't compare it with soldering skills. If this bootkey restriction takes up then most of the branded PCs will behave like old chinese console black dots which were STP (single time programmable). sort of like use and throw machines?

The problem isn't howmuch or who pays for it. The problem is that UEFI drives a wedge down the middle of what was formerly an open hardware ecosystem. Now there are "Windows PCs" and "non-Windows PCs" on the hardware level. Microsoft has used its numbers to effectively get its own proprietary hardware platform (like Apple) without actually having to manufacture it. Which is the best of all possible worlds in that they can control a huge segment of the mobo/CPU market without having to "own" anything. A very handy argument to make when accused of anticompetitive business practices in the USA.

This could, of course, be easily eliminated as a problem if all the PC manufacturers would include a simple mechanism (a switch on the back of the case or a jumper on the mobo) to turn off UEFI without having to go through heroics. But I wouldn't hold my breath waiting to see that happen. I'm sure there will be some purely token hand wringing and breast beating on the part of certain manufacturers (Dell et al.) over this. But nothing of substance will emerge from it.

The other problem is that this will effectively eliminate dual-booting to an alternate OS. Unless it's RedHat. If Windows 8 won't run without UEFI - and only RedHat (currently) can run WITH it - then your Linux option is RedHat. A sorry thing in that RedHat (along with Suse and Canonical) have abandoned anything but lip service about platform independence in the interest of cozening up to Microsoft in order to get a share of whatever bones and scraps Redmond deigns to toss them.

As a side benefit this move also creates a rift in the Linux world. And a lot of bad blood. Something Microsoft seems intent on exploiting by playing one faction off against another while maintaining it only wants what's best for the end-user.

I fully expect Microsoft will start patent trolling in earnest once a few more key Linux distros sign onto Microsoft's notion of a new world order. (Which in case you don't know is: One World with every computer running some version of a Microsoft OS - with all other operating systems running as VMs under it.) They'll start by picking off distros one by one like they have the smartphone vendors, getting gradually larger and larger players to cave in on their demands for blackmail and protection money. Once that's done it's a small matter to engage Debian in a protracted legal battle with the goal of litigating it out of business - but without ever letting it reach a judge or jury for a formal ruling. Especially since the last thing Microsoft could possibly want is for such a case to be decided purely on technical and legal merits.

With Linux dead, or reduced to a satrap in the Microsoft Empire, and no open hardware computing platform available for a "new" alternate OS to emerge on, Microsoft will have achieved a virtual monopoly on the world's mainstream computing environment.

All of which seriously sucks. And will largely mark the end of most of the rapid innovation in computing we've enjoyed for the last 30 years.

It's already working that way in the smartphone and mobile computing world. So why not drag the desktop and server market into it just to be consistent?

Like Joni Mitchell so aptly said: "Don't it always seem to go that you don't know what you got till its gone?"

Again we are assuming that things to happen one sided. In tech world things don't work that way. I feel in between they'll also lose the customers on their platform if they act so adamant about it. Many people who purchase windows per-installed will most likely use linux or alternative OS and run windows in virtual machine. That way they can get their work done with no hardware limitation. I don't think canonical will follow this path, If they were to be following this route they could have sold "ubuntu for mobile" directly to some closed source telecom hardware vendor. As for patent trolling, linux will then become more of hackers OS and will continue to get distributed opposing all patent crap. It happened before with .mp3 format on all platforms and will continue to happen again if the patents are used to stop innovation.

The problem isn't howmuch or who pays for it. The problem is that UEFI drives a wedge down the middle of what was formerly an open hardware ecosystem. Now there are "Windows PCs" and "non-Windows PCs" on the hardware level. Microsoft has used its numbers to effectively get its own proprietary hardware platform (like Apple) without actually having to manufacture it. Which is the best of all possible worlds in that they can control a huge segment of the mobo/CPU market without having to "own" anything. A very handy argument to make when accused of anticompetitive business practices in the USA.

This could, of course, be easily eliminated as a problem if all the PC manufacturers would include a simple mechanism (a switch on the back of the case or a jumper on the mobo) to turn off UEFI without having to go through heroics. But I wouldn't hold my breath waiting to see that happen. I'm sure there will be some purely token hand wringing and breast beating on the part of certain manufacturers (Dell et al.) over this. But nothing of substance will emerge from it.

Last I read, in order to bear the Microsoft Certified tag - and have Windows preinstalled - all PCs and servers must ship with UEFI secure boot enabled. The end user has the option to switch from "standard" to "custom" secure boot mode after the fact. But Microsoft is a little vague about exactly what the ramifications might be for using Windows 8 in that scenario. The big question is whether or not Metro will be available if secure boot is disabled - and more to the point, will access to the Metro store (the only source for installing Metro apps) be allowed if secure boot is turned off?

However, if the machine is ARM based, secure boot (UEFI) must be enabled - and the manufacturers are specifically forbidden by Microsoft to provide or allow any mechanism (hardware, flashing, or software) to disable it.

So no...it's not exactly up to the manufacturer not to implement it if they plan on shipping machines with Windows pre-installed (OEM) - or if they want to even have Windows on an ARM based device.

It's a new business and software model for Microsoft. And (much like Apple) the 'choice' for both the consumers and the manufacturers seems to be to either accept the new terms as dictated - or do without. Or at least as of right now.

Bit of a change from the way things used to be. At least that's my tuppence.

----------

Note: the actual wording Microsoft uses can be found in their Windows 8 Hardware Certification Requirements (file=windows8-hardware-cert-requirements-system.pdf) which you can download from this webpage if you're interested. Information about secure boot starts on page 119.

So no...it's not exactly up to the manufacturer not to implement it if they plan on shipping machines with Windows pre-installed (OEM) - or if they want to even have Windows on an ARM based device.

I didn't think it was up to the manufacturer not to implement it- just to make it easily able to be disabled. And I (personally) don't see the arm requirement as that big of a dealbreaker as the ARM devices will be portable devices (most likely) where that isn't as big of a deal, at least IMO.

Quote

If the system ships with a UEFI-compatible OS, system firmware must be implemented as UEFI and it must be able to achieve UEFI boot mode by default. Such a system may also support fallback to legacy BIOS boot on systems with OS which do not support UEFI, but only if the user selects that option in a pre-boot firmware user interface. Legacy option ROMs also may not be loaded by default."Explicit User Action" means that end user (or in case of enterprise customer, the IT pro) must manually access the pre-boot firmware configuration screen and change the setting. It may not ship in the BIOS mode by default and programmatic methods which can be attacked by malware are not acceptable.

So it has to have it enabled (which I'd assume it would be if you're shipping a system with Windows installed), and not automatically fall back. Still doesn't seem like that big of a deal.

I don't think that Windows 8 will boot in such an environment from what I've read. So you have to accept it for using Microsoft's OS du jour, but not for any other OS.

Gary Richmond over at Free Software Magazine is considerably less worried than 40hz is about this. Read his take on the subject here.

Some highlights from the article:

Quote

UEFI and Windows 8: is this bad news for GNU/Linux?

Mon, 2011-10-31 04:08 -- Gary Richmond

There are times when I think that there is a special, darkened room at Microsoft peopled by a bunch of guys who seem to have nothing better to do than sit and think up some new wheeze to nobble the opposition. The rap sheet is an inditment in itself: trusted computing, internet driving licenses, DRM, bullying hardware vendors and attempting to strong arm sovereign nation states. You wouldn't think the list could get any bigger. It just has; but then, recidivism in incurable. It may not, as has often proved in the past, come to anything but if it does it would be a problematical for GNU/Linux. The irony is that it may not actually be intentional, but then, the universe is littered with the victims of the law of unintended consequences. So, what's the Hydra's latest head? UEFI. That's what....Much as it galls me to say it, for once Microsoft's motives may not be intentionally sinister. Essentially, the technology is designed to protect against rootkits, malware and other low-level attacks by preventing executables and drivers from being loaded unless they carry a cryptographic signature courtesy of a dedicated UEFI signing key. This would not constitute a specific attack on GNU/Linux as such. After all, secure booting won't allow even Windows users to load Windows 7 either. So, anyone who doesn't want/like Windows 8 won't have the option, unlike predecessors, to revert to an earlier release as people did with Vista and XP. See the electronic landfill sites fill up. (It would be interesting to know if using WUBI or EasyBCD to get the Windows bootloader to dual boot GNU/Linux distros would work with Windows 8. Askubuntu thinks so).

On that reading, Microsoft is spitting in the eye of their own customer base and it occurs to me that Microsoft's secure boot would also prevent Windows users from using recovery and diagnostic software too (though frankly, I can't muster much sympathy for people who pay for the privilege of being persistently shafted. They're being digitally bitch slapped.) ...To balance up things a bit, it has be argued that this is all an hysterical over reaction; a piece of FUD from the FOSS community. Ed Bott thinks so. He argues that Microsoft has no need to trifle with OSes like GNU/Linux that occupy less than five percent of the market, that it will always be niche and that the inability to boot it under UEFI will generate a deluge of irate calls to hardware vendor's support helplines and thus seriously erode razor-thin profit margins on each PC they sell. I actually think that's a very fair point but it fails to address that fact that if Microsoft insist that vendors will not be able to ship Windows 8 without their logo unless they enable secure boot and lock it down then profit margins really would nosedive. They would evaporate....One final thought: it might not be a bad idea to "stockpile" one very high spec laptop/desktop with a traditional BIOS to temporarily stave off the evil day when you have to bite the UEFI bullet. That should at least future proof matters for quite a few years and if things turn out well the UEFI hurdle will be cleared. I had planned to postpone a purchase of a new laptop until November next year. I might just bring that date forward.

In the meantime I agree with the runes of the blogsphere in the last few weeks. UEFI is a clear and present danger, intended or otherwise. We should be worried but it's not yet quite time to hit the panic alarm and start shouting rape. Not just yet. It all comes down to how the OEMS react so I'm keeping my batteries (and my bank account) fully charged. Just in case.

Don't think that Microsoft didn't come up with this "option" -- mandate in their terms -- not to piss off everyone else, but notably to make it virtually impossible to convert a store-bought machine from Windows ever again. It reminds me again that Microsoft can't make an honest buck from innovation, so they're shutting themselves inside their own little ecosystem of horrors where, if you don't join them, they'll impose yet another "Microsoft tax" ($99) on you.

Most everything evil on this planet in this century has been implemented under the guise of "security." Keep fighting the bastards, I say.

There needs to be another antitrust suit against Microsoft. Once again we find them taking technical measures to prevent people from using non-Microsoft software on their computer equipment.

With its industry-authored IP agenda (SOPA/PIPI/ACTA) in full swing, I don't think you can reasonably expect any action on the part of the US government to do anything that might seriously threaten Microsoft's control of the global PC market.

I think the US government would be willing to tolerate almost anything rather than let Microsoft get hurt right now. Especially since it's one of the few places where a US company still maintains such a degree of technical dominance.

One of the best ways to protect yourself from government interference is to become "too big to be allowed to fail." But an even better way is to follow in the footsteps of Ivan Boesky and position yourself in such a way that you couldn't be taken down without collapsing the entire business sector you're in.

Microsoft is too big and important to the US economy to be allowed to fail. And there's also no way you could seriously come down on Microsoft without the risk of the US computer industry losing its present control of the PC/desktop market.

Antitrust won't work because MS are not mandating that disabling is not allowed (at least on PCs).

Two simple solutions for OEMs:

1) Allow BIOS switch off of Secure Boot.2) Ship their boxes without OS - offer a choice of OS with purchase - Linux or Windows (not OEM edition). That would have the big advantage of really pissing off MS as Win 8 sales would not take off like they want when the real cost is transparent to consumers.